how to update proftpd?
- Thread starter lkbryant
- Start date
okay but looks like the latest version DA ships for proftpd (1.3.1-1) has a cross site forgery exploit.
====
The remote host is using ProFTPD, a free FTP server for Unix and Linux.
The version of ProFTPD running on the remote host splits an overly long FTP command into a series of shorter ones and executes each in turn. If an attacker can trick a ProFTPD administrator into accessing a specially-formatted HTML link, he may be able to cause arbitrary FTP commands to be executed in the context of the affected application with the administrator's privileges.
====
And unfortunately this makes the server not pci-compliant. even worse, can cause some damage to your servers.
http://www.proftpd.org/docs/NEWS-1.3.2rc3
1.3.2rc3 - Released 20-Nov-2008
--------------------------------
- Bug 3114 - Bad handling of uid/gid parameters for CreateHome.
- Bug 3115 - Cross-site request forgery.
- Bug 3116 - SQLNegativeCache with no group info can cause segfault.
- Bug 3117 - Authentication improperly allowed (Bug#2922 regression).
- Bug 3119 - Search for libcap2 in addition to libcap for mod_cap support.
- Bug 3120 - WrapTables not allowed in <Anonymous> context.
- Bug 3122 - iconv() not detected properly on FreeBSD when --enable-nls is used.
- Bug 3124 - mod_sql improperly substitutes variables in user/group names.
- Bug 3089 - Memory pool double-free on session exit after aborted data
transfer.
- Bug 3092 - FSIO API needs mechanism for allowing registered FS handlers to
permit atomic renames.
- Bug 2767 - gcc 4.0/amd64 warnings.
- Bug 3126 - Segfault in mod_sql_sqlite when user belongs to multiple groups.
- Bug 3130 - HideFiles can cause segfault.
- Bug 3131 - Session process uses 100% CPU after aborted transfer.
- Bug 3132 - Handling of SIGABRT signal leads to endless loop.
- Bug 3073 - Command arguments not decoded properly in some places.
- Bug 3135 - Aborting a download can lead to segfault in some cases.
It seems bug is fixed on the latest version.
Any plans for DA to update the proftpd to the new version?
====
The remote host is using ProFTPD, a free FTP server for Unix and Linux.
The version of ProFTPD running on the remote host splits an overly long FTP command into a series of shorter ones and executes each in turn. If an attacker can trick a ProFTPD administrator into accessing a specially-formatted HTML link, he may be able to cause arbitrary FTP commands to be executed in the context of the affected application with the administrator's privileges.
====
And unfortunately this makes the server not pci-compliant. even worse, can cause some damage to your servers.
http://www.proftpd.org/docs/NEWS-1.3.2rc3
1.3.2rc3 - Released 20-Nov-2008
--------------------------------
- Bug 3114 - Bad handling of uid/gid parameters for CreateHome.
- Bug 3115 - Cross-site request forgery.
- Bug 3116 - SQLNegativeCache with no group info can cause segfault.
- Bug 3117 - Authentication improperly allowed (Bug#2922 regression).
- Bug 3119 - Search for libcap2 in addition to libcap for mod_cap support.
- Bug 3120 - WrapTables not allowed in <Anonymous> context.
- Bug 3122 - iconv() not detected properly on FreeBSD when --enable-nls is used.
- Bug 3124 - mod_sql improperly substitutes variables in user/group names.
- Bug 3089 - Memory pool double-free on session exit after aborted data
transfer.
- Bug 3092 - FSIO API needs mechanism for allowing registered FS handlers to
permit atomic renames.
- Bug 2767 - gcc 4.0/amd64 warnings.
- Bug 3126 - Segfault in mod_sql_sqlite when user belongs to multiple groups.
- Bug 3130 - HideFiles can cause segfault.
- Bug 3131 - Session process uses 100% CPU after aborted transfer.
- Bug 3132 - Handling of SIGABRT signal leads to endless loop.
- Bug 3073 - Command arguments not decoded properly in some places.
- Bug 3135 - Aborting a download can lead to segfault in some cases.
It seems bug is fixed on the latest version.
Any plans for DA to update the proftpd to the new version?
Last edited:
- Joined
- Feb 27, 2003
- Messages
- 8,117
Hello,
Although we're not able to include release candidates into production servers, you're still welcome to update proftpd to their current candidate.
I've added a src.rpm here, for rpm systems:
Or if you have debian or freebsd, compile from source:
http://help.directadmin.com/item.php?id=82
and just grab the latest tar.gz files from www.proftpd.org
John
Although we're not able to include release candidates into production servers, you're still welcome to update proftpd to their current candidate.
I've added a src.rpm here, for rpm systems:
Code:
wget http://files.directadmin.com/services/proftpd-1.3.2rc3-1.src.rpm
rpmbuild --rebuild proftpd-1.3.2rc3-1.src.rpm
rpm -Uvh /usr/src/redhat/RPMS/i386/proftpd-1.3.2rc3-1.i386.rpmhttp://help.directadmin.com/item.php?id=82
and just grab the latest tar.gz files from www.proftpd.org
John
[root@server admin]# yum -y install rpmbuild
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
rhel-x86_64-server-5-ntta 100% |=========================| 1.2 kB 00:00
rhel-x86_64-server-5 100% |=========================| 1.2 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=========================| 1.9 MB 00:00
################################################## 5848/5848
Excluding Packages in global exclude list
Finished
Parsing package install arguments
No Match for argument: rpmbuild
Nothing to do
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
rhel-x86_64-server-5-ntta 100% |=========================| 1.2 kB 00:00
rhel-x86_64-server-5 100% |=========================| 1.2 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=========================| 1.9 MB 00:00
################################################## 5848/5848
Excluding Packages in global exclude list
Finished
Parsing package install arguments
No Match for argument: rpmbuild
Nothing to do